lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <du6s84$8a9$1@sea.gmane.org>
Date: Thu Mar  2 13:34:38 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: Re: Question about Mac OS X 10.4 Security

Paul Schmehl wrote:
> --On Thursday, March 02, 2006 08:57:18 +1100 mz4ph0d@...il.com wrote:
>>
>> Sorry to spoil everyone's fun.
>> <http://docs.info.apple.com/article.html?artnum=303382>
>>
>> Maybe, just maybe, Apple are actually better (able/positioned) to
>> respond quickly to vulnerabilities before the exploits in-the-wild
>> affect more than 50 people? Who knows.
>>
> It doesn't look like it.  They seem to have addressed the
> vulnerability as it applies to Safari, but not the underlying
> vulnerability.

  I don't know how you deduce that Z was referring to the Safari problem(s), 
I thought it might have been the one about the mailer failing to warn for 
some unsafe attachment types.

>If I send you an email, with a zip attachment (naming
> and extension is irrelevant), and I can get you to attempt to open
> the attachment (fairly trivial with many users), I can execute
> abitrary code on your machine.  The only "restriction" is that, if I
> attempt to execute code that requires admin privileges, I'd have to
> convince you to type in your password (again, fairly trivial for most
> users.)

  Exactly.  Some of the most successful viruses recently have arrived inside 
encrypted zip files, with a GIF as an attachment, that contains a password 
in graphical format, and the user has to open the gif attachment and note 
down the password and open the zip and enter the password and extract the 
executable and run it.

  And they /did/, in their droves.

  No matter what kind of protection Apple put in place, no matter how 
quickly they fix drive-by-install vulnerabilities, no matter how big the 
warning dialog that mail pops up when it detects executable files and even 
if it isn't spoofable - people will still do it.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ